Beruflich Dokumente
Kultur Dokumente
BITS F463
Lecture 1
Learning Objectives
Cryptography is an indispensable tool for
protecting
information
in
computer
systems
Learning to reason about the security of
cryptographic constructions and to apply
this knowledge to real-world applications
forms the crux of this course
Course Material
Textbooks:
T1: Cryptography and Network Security: Principles and Practice,
William Stallings, Fifth Edition, Pearson Education
Reference books:
R1: Cryptography and Network Security, Behrouz A. Forouzan,
McGraw-Hill, 2007
R2: Applied Cryptography, Bruce Schneier, Wiley Student Edition,
Second Edition, Singapore, 2010
R3: Handbook of Applied Cryptography: Alfred Menezes, Paul van
Oorschot, and ScoF Vanstone, CRC Press, NY
R4: Cryptography: Theory and Practice, Douglas Stinson, Chapman
and Hall/CRC, 3rd Edition, 2005.
R5: Cryptography and E-Commerce: A Wiley Tech Brief, Jon C. Graff,
John Wiley & Sons, 2000
Online Study Material:
http://online.stanford.edu/course/cryptography, https://www.coursera.org/course/crypto
BITS Pilani, Hyderabad Campus
Weightage
Mode
Test-1
Test-2
Assignments/
Term Projects
(Take Home)
Comprehensive
20%
20%
20%
Closed Book
Closed Book
Open Book
40%
Closed Book
Roadmap
Cryptographic algorithms
symmetric ciphers
asymmetric encryption
hash functions
Mutual Trust
Standards Organizations
National Institute of Standards & Technology
(NIST)
Internet Society (ISOC)
International
Telecommunication
Union
Telecommunication Standardization Sector
(ITU-T)
International Organization for Standardization
(ISO)
RSA Labs (de facto)
BITS Pilani, Hyderabad Campus
Computer Security
the protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources (includes
hardware,
software,
firmware,
information/data, and telecommunications)
->NIST95 definition
BITS Pilani, Hyderabad Campus
CIA triad
Confidentiality (covers both data confidentiality and privacy): preserving
authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information. A loss of
confidentiality is the unauthorized disclosure of information.
Integrity (covers both data and system integrity): Guarding against
improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity. A loss of integrity is the
unauthorized modification or destruction of information.
Availability: Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or an
information system.
Authenticity: The property of being genuine and being able to be verified
and trusted; confidence in the validity of a transmission, a message, or
message originator.
Accountability: The security goal that generates the requirement for
actions of an entity to be traced uniquely to that entity.
Levels of Impact
3 levels of impact from a security breach
Low
Moderate
High
Low Impact
The loss could be expected to have a limited adverse effect on
organizational operations, organizational assets, or
individuals.
A limited adverse effect means that, for example, the loss of
confidentiality, integrity, or availability might
(i) cause a degradation in mission capability to an extent
and duration that the organization is able to perform its
primary functions, but the effectiveness of the functions is
noticeably reduced;
(ii) result in minor damage to organizational assets;
(iii) result in minor financial loss; or
(iv) result in minor harm to individuals.
BITS Pilani, Hyderabad Campus
Moderate Impact
The loss could be expected to have a serious adverse effect on
organizational operations, organizational assets, or
individuals.
A serious adverse effect means that, for example, the loss
might
(i) cause a significant degradation in mission capability to
an extent and duration that the organization is able to
perform its primary functions, but the effectiveness of the
functions is significantly reduced;
(ii) result in significant damage to organizational assets;
(iii) result in significant financial loss; or
(iv) result in significant harm to individuals that does not
involve loss of life or serious, life-threatening injuries.
BITS Pilani, Hyderabad Campus
High Impact
The loss could be expected to have a severe or catastrophic
adverse effect on organizational operations, organizational
assets, or individuals.
A severe or catastrophic adverse effect means that, for
example, the loss might
(i) cause a severe degradation in or loss of mission
capability to an extent and duration that the organization
is not able to perform one or more of its primary
functions;
(ii) result in major damage to organizational assets;
(iii) result in major financial loss; or
(iv) result in severe or catastrophic harm to individuals
involving loss of life or serious life threatening injuries.
BITS Pilani, Hyderabad Campus
mechanisms
models
policies
secure
precise
broad
Security Objectives
Security objectives should include
Availability (of systems and data for intended
use only)
Integrity (of system and data)
Confidentiality (of data and system information)
Accountability (to the individual level)
Assurance (that the other four objectives have
been adequately met)
integrity
confidentiality
integrity
confidentiality
availability
accountability
confidentiality
integrity
confidentiality
integrity
assurance
Authentication
Verify identity
Authorization
Verify credentials Unauthorized
Grant rights
access
ID spoofing
ID Masquerade
Content modification
Accounting
auditing
repudiation
Availability
Continuity
Punctuality
Interruption
delay
manipulation
destruction
Falsification
repudiation
Confidentiality
exclusivity
divulging
Threats
Policy
Specification
Design
Implementation
Operation
Definitions
Computer Security - generic name for the
collection of policies/tools/mechanisms designed
to protect data and to thwart hackers
Network Security - measures to protect data
during their transmission
Internet Security - measures to protect data
during their transmission over a collection of
interconnected networks
The focus is on measures to deter, prevent, detect
and correct security violations that involve the
transmission & storage of information
BITS Pilani, Hyderabad Campus
Security Trends
Observed security trends, growth in sophistication
of attacks contrasting with decrease in skill &
knowledge needed to mount an attack.
Aspects of Security
security attack
security mechanism
security service
Security Attack
Any action that compromises the security of
information owned by an organization
Information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
often threat & attack used to mean same thing
have a wide range of attacks
can focus on generic types of attacks
passive
active
BITS Pilani, Hyderabad Campus
Attack:
An assault on system security that derives from an
intelligent threat; an intelligent act that is a deliberate
attempt (method/technique) to evade security services
and violate the security services and violate the security
policy of a system
Threats
A potential occurrence that can have an undesirable effect
on the system assets or resources
Primary threats
Unauthorized access
User masquerading
Denial of service
Physical attacks
Secondary threats
Introduction of malware
Bad security administration
Bad architecture, implementation
misconfiguration
BITS Pilani, Hyderabad Campus
Fabricate message
Modify message
Handling Attacks
Passive attacks focus on Prevention
Easy to stop
Hard to detect
Security Service
enhance security of data processing systems and
information transfers of an organization
intended to counter security attacks
using one or more security mechanisms
often replicates functions normally associated
with physical documents
which, for example, have signatures, dates; need
protection from disclosure, tampering, or destruction;
be notarized or witnessed; be recorded or licensed
Security Services
X.800:
a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers
RFC 2828:
a processing or communication service provided by
a system to give a specific kind of protection to
system resources
BITS Pilani, Hyderabad Campus
Security Mechanism
a.k.a. control
feature designed to detect, prevent, or
recover from a security attack
no single mechanism that will support all
services required
however one particular element underlies
many of the security mechanisms in use:
cryptographic techniques
Summary
topic roadmap & standards organizations
security concepts:
confidentiality, integrity, availability